Full Disclosure mailing list archives

Re: Format String Vulnerabilities in Perl Programs


From: Chris Umphress <umphress () gmail com>
Date: Sat, 3 Dec 2005 23:47:56 -0800

On 12/2/05, Steven M. Christey <coley () mitre org> wrote:

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
Format String Vulnerabilities in Perl Programs
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

Almost all of the statements refer to a number of programming
languages if thought is not put into the program. Security requires
thought. A program that is not thought out will not be secure, and the
language it is written in cannot protect against this. Anyhow, I get
ahead of myself.

   The possibility of CRLF injection was theorized, but a casual
   investigation was not successful.

\r\n ?? \x0d\x0a ??

**********************************************************************
4. Some Discussion on Format Strings and the Taint Checker
**********************************************************************

In 5.004:

   The taint checker apparently does not flag filenames as tainted
   (e.g. as obtained from the readdir() function).  Presumably, other
   types of "indirect input" may not be tainted.  However, it does
   identify more direct sources of input such as stdin and environment
   variables.

It shouldn't have to. As Linus Torvalds says -- You should think
through your code rather than expecting a tool to find the problem for
you [1].

Notes on Detecting Vulnerabilities in Source Code
-------------------------------------------------

Detection of suspicious code is slightly more difficult than it is for
C code.  Constant strings can contain Perl entities such as variables
or references, which are inserted into the string before it is passed
to printf/sprintf.

  $fmt = <USER_INPUT>;
  printf("THIS IS A POTENTIALLY VULNERABLE $fmt FORMAT STRING\n");

That is probably the closest thing to a feasible mistake for someone
who is thinking about the code they are writing (IMO). If you aren't
performing a string insertion of some kind, "print" is far better.
While I do understand the argument to some degree, "print" is the most
common way to display text (from my own experience, "print" usage is
much more common in scripting languages than printf).


[1] Linus Torvalds, Linux Kernel Mailing List, Mar 19 2000,
http://www.uwsg.iu.edu/hypermail/linux/kernel/0003.2/0939.html

--
Chris Umphress <http://daga.dyndns.org/>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
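The exchange above turns on one Perl-specific detail: a double-quoted literal is interpolated before printf/sprintf ever sees it, so a `$fmt` inside the literal becomes part of the format, not an argument. The script below is an added example, not code from Chris Umphress's reply or from Steven Christey's original post. It puts the vulnerable line from the post beside its two safe forms (constant format with the data in the argument list, or plain `print`), captures the "Missing argument" warnings Perl emits under `use warnings` when user-supplied `%` directives are interpreted, and then runs a crude line-based scanner for the pattern the post says is hard to spot: a printf/sprintf whose first argument is a double-quoted literal containing an interpolated `$var` or `@array`. The user input, the sample source it scans, and the helper names (`vulnerable_format`, `safe_format`, `safe_print`, `find_interpolated_formats`) are all constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): interpolated-format-string
# mistake from the post, its safe forms, and a heuristic source scanner.
use strict;
use warnings;

# Constructed sample input: to the user this is ordinary text, but once it
# is interpolated into a format string printf interprets the '%' directives.
my $user_input = "hello %s %s %x";

# Vulnerable pattern from the post: $fmt is interpolated into the literal
# before sprintf runs, so user-controlled '%' directives are interpreted.
sub vulnerable_format {
    my ($fmt) = @_;
    return sprintf("THIS IS A POTENTIALLY VULNERABLE $fmt FORMAT STRING\n");
}

# Safe form 1: the format stays constant; user data is passed as an argument.
sub safe_format {
    my ($msg) = @_;
    return sprintf("THIS IS A SAFE %s FORMAT STRING\n", $msg);
}

# Safe form 2: no format at all. Interpolation/concatenation never treats
# '%' specially, which is why the reply recommends plain print here.
sub safe_print {
    my ($msg) = @_;
    return "THIS IS A SAFE $msg FORMAT STRING\n";
}

# Run a code block and collect any warnings it raises (e.g. Perl's
# "Missing argument in sprintf"), which is the runtime symptom of the bug.
sub run_and_collect_warnings {
    my ($code) = @_;
    my @warnings;
    local $SIG{__WARN__} = sub { push @warnings, $_[0] };
    my $out = $code->();
    return ($out, \@warnings);
}

# Heuristic detector for the pattern the post describes. It does not parse
# Perl: expect false positives and misses (heredocs, multi-line calls).
# It flags printf/sprintf whose first argument is a double-quoted literal
# containing an unescaped $ or @ followed by an identifier start.
sub find_interpolated_formats {
    my ($source) = @_;
    my @hits;
    my $lineno = 0;
    for my $line (split /\n/, $source) {
        $lineno++;
        next if $line =~ /^\s*#/;    # skip comment-only lines
        if ($line =~ /\b(s?printf)\s*\(?\s*"((?:[^"\\]|\\.)*)"/) {
            my ($func, $literal) = ($1, $2);
            if ($literal =~ /(?<!\\)[\$\@][A-Za-z_{]/) {
                push @hits, { line => $lineno, func => $func, text => $line };
            }
        }
    }
    return @hits;
}

# Constructed Perl source to scan; only lines 2 and 4 should be reported.
my $sample_source = <<'END_SRC';
my $fmt = <STDIN>;
printf("THIS IS A POTENTIALLY VULNERABLE $fmt FORMAT STRING\n");
printf("Total: %d items\n", $count);
my $s = sprintf "Hello $name, you have %d messages", $n;
print "Price is \$5 and ${amount} units\n";
printf("Escaped dollar \$ is fine %s\n", $x);
# printf("commented out $fmt");
END_SRC

# 1. Runtime view: the vulnerable form consumes the user's '%' directives
#    and warns about missing arguments; the safe forms do not.
for my $case (
    [ vulnerable => sub { vulnerable_format($user_input) } ],
    [ safe_format => sub { safe_format($user_input) } ],
    [ safe_print  => sub { safe_print($user_input) } ],
) {
    my ($name, $code) = @$case;
    my ($out, $warns) = run_and_collect_warnings($code);
    print "$name: $out";
    print "  warning: $_" for @$warns;
}

# 2. Static view: scan the sample source for interpolated format literals.
#    (This printf is the correct shape: constant format, data as arguments.)
for my $hit (find_interpolated_formats($sample_source)) {
    printf "line %d: %s with interpolated format: %s\n",
        $hit->{line}, $hit->{func}, $hit->{text};
}
```

The scanner deliberately ignores `print`, since `print` never interprets a format, and skips a `\$` because the backslash suppresses interpolation; a literal whose only `$` is escaped is a constant format and not a finding.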